ClassLink Devise OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected

Question

I've looked through various similar issues and responses but to no avail. Sorry if this is obvious but OAuth is not my area of expertise.

I'm running Rails 5.2 with Ruby 2.74 and Devise. I have SSO set up with Facebook and it works fine. I'm trying to get it working with ClassLink, but I'm stuck. When clicking on our ClassLink dashboard icon (ClassLink website), it opens a new browser window to our site, as it should, but fails to log in as that user. A user with the same email is set up on both ends. The server error is

15:14:51 web.1 | D, [2022-09-01T15:14:51.715485 #1139413] DEBUG -- omniauth: (classlink) Callback phase initiated. 15:14:51 web.1 | E, [2022-09-01T15:14:51.720435 #1139413] ERROR -- omniauth: (classlink) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

The Omniauth-Classlink Gem calls for a devise.rb entry of

config.omniauth :class_link, 'your-classlink-access-key', 'your-classlink-secret', strategy_class: 'OmniAuth::Strategies::ClassLink'

but with that last parameter (strategy_class), the server won't start and exits with an error:

NoMethodError: undefined method `new' for "OmniAuth::Strategies::ClassLink":String

so I'm leaving that off since it wasn't required for my working Facebook SSO.

On the failed login I'm getting the following log entry:

Processing by Users::OmniauthCallbacksController#failure as HTML Parameters: {"code"=>"c166206446884317a72fa1c03772a2b622c9135c526e7a", "response_type"=>"code"} Redirected to https://dtest.pagekite.me/?locale=en Filter chain halted as :authorize rendered or redirected Completed 302 Found in 8ms (ActiveRecord: 0.0ms)

The domain registered on ClassLink matches our server and the callback url is correct. The permissions, routes, callback function, etc. all look OK to me (again, pretty much identical to Facebook). Any suggestions on where I might look next?

Thanks.

Answer 1

It sounds like you have a few different problems going on here.

15:14:51 web.1 | D, [2022-09-01T15:14:51.715485 #1139413] DEBUG -- omniauth: (classlink) Callback phase initiated. 15:14:51 web.1 | E, [2022-09-01T15:14:51.720435 #1139413] ERROR -- omniauth: (classlink) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

In the request phase, you receive a state parameter with a random value. The omniauth-oauth2 strategy (from which the omniauth-classlink strategy is subclassed) stores this value in the session. In the callback phase, you again receive a state parameter and it must match the one received in the request phase. This error almost always means there is something wrong with your session

NoMethodError: undefined method `new' for "OmniAuth::Strategies::ClassLink":String

The value of the strategy_class option should be the class name constant. Removing the quotes should fix it.

Processing by Users::OmniauthCallbacksController#failure as HTML Parameters: {"code"=>"c166206446884317a72fa1c03772a2b622c9135c526e7a", "response_type"=>"code"} Redirected to https://dtest.pagekite.me/?locale=en Filter chain halted as :authorize rendered or redirected Completed 302 Found in 8ms (ActiveRecord: 0.0ms)

This is Devise trying to authorize the callback request when it should not be. Is your Users::OmniauthCallbacksController calling authenticate_user! in a before action or inheriting that behavior from a parent class?